On November 18, the official download site for the Monero CLI served a malicious binary for less than an hour. The malicious version of the download was designed to steal Monero from unsuspecting victims.
An entity compromised the box responsible for serving official binaries for the Monero CLI. The date of the breach has not been disclosed publicly as of this article. On November 18, an attacker—most likely the same one responsible for the breach—switched the legitimate binary for the infected version. Users quickly caught on and maintainers switched downloads to a fallback source. An investigation into the incident is underway.
For less than one hour on November 18, the download link for the 64 bit Linux CLI binary (version 0.15.0.0 Carbon Chamaeleon) served a malicious copy of Monero Carbon Chamaeleon. The creator of the malicious version, according to Serhack, a security researcher (and the author of Mastering Monero), forked the binary from commit f07c326f1. Checking the version of the binary of the version with
--version shows the commit in question: v0.15.0.0-f07c326f1.
Not long after the attacker had swapped the files, a user of the CLI opened an issue on the Monero Project’s Github repo and pointed out the mismatched hashes. Anyone can check the hashes of any binary; the Monero Project signs the SHA256 hashes of every binary with the GPG key of the lead maintainer, Riccardo Spagni aka Fluffypony. The list of signed hashes is available here: GetMonero.org Hashes. The easy way to access the hashes is via command line:
wget -O hashes.txt https://getmonero.org/downloads/hashes.txt and assuming the user has already imported Fluffypony’s key, they can easily verify the list of hashes via
gpg --verify hashes.txt. The output should display “Good Signature” as well as the subkey used to sign the file.
Although the hash displayed on GetMonero.org matched the correct hash, the actual hash of the binary did not. Without manually verifying the hash, a user would not have noticed the mismatch until after losing their coins and posting to Reddit about the issue.
According to Serhack’s preliminary report, the hash of the malicious binary is 7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31. The researcher is still conducting an analysis of the file. It is available for download here (anonfile).
Another user who analysed the file concluded that the malicious binary “only” steals coins (as opposed to stealing coins and compromising the machine).
From what I’ve seen so far it seems to be a simple coin-stealer. I’m probably wrong though. But it doesn’t seem to alter system files, at least initially, and it doesn’t contact any servers. If it does compromise the machine, it’s very sneaky.
BinaryFate, a member of the core team, posted a warning on Reddit.
If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe – but check the hashes).
Disappointingly, no official warning exists elsewhere. H/t to Dark.fail for pointing this out on Twitter.
Verifying the legitimacy of onion service mirrors is a useful practice for nearly all users of the Tor Browser.